From Theory to Reality: Building a Secure Cloud Environment

for Diagnostic Imaging

Kristina Kermanshahche Chief Architect, Healthcare

Intel Corporation February 2012

Patrick Koch Business Director, WW Vue Cloud Services Carestream Health

Agenda

• Intel Secure Healthcare Cloud: • Healthcare & Cloud Computing Trends • Core Requirements & Design Considerations • Strategy for Adoption • Technology-Differentiated Services

• Carestream Cloud-Based Diagnostic Imaging:

• Challenges & Benefits • Industry proof points and usage models • Architecture & Infrastructure • Demo

2

Healthcare & Cloud Computing Trends

3

Evolution of the Datacenter

Cloud Infrastructure

Network Storage Compute

Security

Datacenter facilities (e.g. cooling, power) Compute Network Storage

Management Unified Network

Servers Storage Arrays

Mgmt

VM VM VM VM

Discrete Datacenter

Virtualized Datacenter

Cloud Datacenter

Efficient and Secure Open Architecture Flexible Network Flexible Management

10G Unified Network Consolidation Discrete networks

4

• Enormous economies of scale • Efficiencies in size; buying power, infrastructure, power consumption • Unparalleled resource utilization

Efficiency

Agility

Availability

Services

• Improve provisioning time from days to hours • Automate workflows to enable consistency, agility and elasticity • Pay for the resources you actually use

• Deliver high availability for all workloads, regardless of location • Protect IP, data and differentiated business processes • Provide secure, broad network access on authenticated devices

• On demand, self-service portal to streamline business processes • Establish measured services for VM utilization, health and usage • Apply actual application consumption for IT capacity management

High-Level IT Strategies and Goals Business Benefits

Healthcare Utility &

Value-Add Services

• Address scarcity by effective allocation of resources & expertise • Leverage ecosystem for non-core competencies, achieve

economies of scale • Accelerate standards adoption through lower barriers to entry • Build the network value model of exchange

Cloud Computing Business Drivers

5

The Rise of Healthcare “Big Data”

6

• Diagnostic Imaging

– Average hospital requires 175TB for images & clinical records. Consumes additional 15 TB annually1. Data archive for 20+ years.

– In 2006, primary copy storage for all U.S. imaging = 24 Petabytes (assumes no duplication for RAID, archive, disaster recovery)2

– By 2014, US primary copy storage expected to reach 100 Petabytes2

• Genomic Data

– The Human Genome consists of 3 billion base pairs, unannotated, requires 3 Gb of storage uncompressed3

– In 2007, Baylor College of Medicine required 125 TB, with projected 25-fold increase in storage over the following two year period4

– Digital data projected to reach 35 Zettabytes by 2020, a 44-fold increase from 20095

1 John Halamka, CIO, Beth Israel Deaconess, http://geekdoctor.blogspot.com/. 2 “Prepare for Disasters and Tackle Terrabytes When Evaluating Medical Imaging Archiving,” ©2008 Frost & Sullivan. 3 Human Genome Project FAQs, http://www.ornl.gov/sci/techresources/Human_Genome/faq/faqs1.shtml. 4 Baylor College of Medicine, Human Genome Sequencing Center, http://www.cwhonors.org/viewCaseStudy.asp?NominationID=340. 5 IDC Digital Universe Study, sponsored by EMC, May 2010

Core Requirements & Design Considerations

7

Neurosurgeon views imaging studies, latest lab results; consults with Radiologist, Specialists

Specialists agree on treatment plan with Neurosurgeon& Radiologist

Patient arrives at ER with complications from brain tumor

Radiologist analyzes current MRI, compares with prior imaging study from remote hospital

ICU nurses view imaging studies, update chart with patient vital signs, status

Cloud Vendor Neutral Archive

Care Coordination Use Case

Smart Phone

Shared Workstation

Laptop

Operating Room Radiology Emergency Room

Client-Aware Cloud

Trust Broker

Intensive Care Neurology

1 2 3 4 5

8

Barriers to Healthcare Cloud Adoption

• Data protection and regulatory compliance require data transparency • May prevent PHI from being hosted in another country • May restrict or prohibit trans-border flow of information

• Onsite data centre audits may be impractical for cloud providers • SAS 70 Type II/SSAE16 certification, ISO/IEC 27001 • EU Directive 95/46/EC or HIPAA-compliant cloud providers

• Service-model dependent • Provisioning & automation software built against proprietary APIs • Cost of entry may be low, cost of exit may be high

High-Level IT Areas of Concern Business Concerns

• Must protect sensitive information at rest and in transit • Costs associated with data breach are rising • Cloud services and virtualization break traditional perimeter-oriented security techniques

Vendor Lock-in

Auditability & Compliance

Data Transparency

Security & Privacy

9

General Deployment Considerations Availability

– Service Level Agreements, Recovery Time Objective (RTO), Recovery Point Objective (RPO) – Application Architecture, Fault Tolerance, Network Design – Business Continuity / Disaster Recovery plans

Network Design – Network dependency / carrier diversity – Suitable, geographically-dispersed, failover data centers

Performance – Workload peak/min sizes & variability, network bandwidth, performance constraints – Monitoring, Notifications & Alerts – Start-up costs (cloud on-boarding) & risks of vendor lock-in

Regulatory – Data Protection Regulations & Locale Constraints – Data Loss Prevention, Breach Notification – Independent Attestation

Security – Defense-in-depth, boundary controller, secure perimeter requirements – Multi-tenancy risks & benefits, application security, end-to-end security model – Isolation vs. efficiency (security vs. cost tradeoff) – Administrative, Physical and Technical Controls

Governance – Availability of IT expertise, Training & Employee Policy – Security & Privacy policies, governance – Risk Assessment & Mitigation

10

Secure Healthcare

Cloud:

Strategy for Adoption

11

What is Secure Healthcare Cloud?

• Strategy for adoption with phased implementation • Best practices, standards and technologies • Design principles, deployment considerations, and

governance models • Worldwide program, key learnings, virtualization labs • Industry alliances including:

– Intel® Cloud Builders – Open Data Center Alliance (ODCA) – European Network & Information Security Agency (ENISA) – Cloud Security Alliance (CSA)

• Comprehensive set of latest security technologies & solutions covering end-to-end cloud deployment models

• Robust set of ecosystem partners to deliver complete solutions

12

Secure Healthcare Cloud Defining Characteristics Highly Available

– Designed for failure, mitigate risk of data loss, minimize potential for business disruption, tiered service levels, mutually contracted SLAs

– Geo-dispersed data centers, redundant and diverse network carriers – Failover/load balancing, stress testing for scalability and performance

Highly Secure – End-to-end security design, assess the risk profile of backend systems, the network,

identity assurance levels, and potential endpoint devices – Multi-Tenancy by design. Designed for breach and other failures, establishing a multi-

layer and defense-in-depth approach – Physical, technical and administrative controls including application security and

identity management, encryption at rest and in transit, provisioning, and backup, loss recovery, and secure destruction

– Compliance with international regulations on safe handling of protected information

Highly Transparent – Data federation services which isolate, secure, enforce sensitive workloads, as well as

establish evidence of consistent management practices – Independent attestation of security profile of underlying hosting environment, evidence

of consistent policy and security enforcement – Compliance with international audit standards

13

Adopting Secure Healthcare Cloud Current

Private Networks

Build/Grow Network of Private Clouds

External: Internet

Business Core

Utility • Identity Service • Controlled Terminology Service

• Clinical Data Repository

• Transformation & Normalization

SaaS • Scheduling/Triage • EHR • Care Coordination • ePrescribing • ePathology • Life Sciences – private / academic

Legacy Environments Internal Clients

External Clients

Utility

Interim Private + Limited Public Cloud

Federated Query/Identity

External: Internet

Utility • Service Directory • Record Locator • Trust Fabric with trading partners

• EHR Portals • Orchestration • Mediation

SaaS • Claims Processing, Adjudication

• Disease Registries • Knowledge Base • Public Health • Diagnostic Imaging

• Quality Reporting

Legacy Environments Internal Clients

External Clients

Trading Networks

Utility + Service

Future

External: Internet

Ubiquitous Hybrid Health Cloud

Utility • Master Consent & Authorization

• Broad Deployment Trust Fabric

SaaS • Clinical Decision Support

• Disease Mgmt • Secondary Use • Clinical Trials • Translational Medicine

Network Effect Drives Innovation

Legacy Environments Internal Clients

External Clients

Value-Add Data

Services

Trading Networks

Overcome scarcity by leveraging expertise and capacity in the cloud

14

Technology-Differentiated Services

15

16 * Other names and brands may be claimed as the property of others. Copyright © 2009, Intel Corporation.

Architect for the Cloud Today

Efficient World class energy

efficiency Open Multi-vendor

innovation with compatibility of

solutions

Secure Data protected at rest and in transit

Simplified Flexible IA

infrastructure and unified networking

Driving Technology Leadership to Enable the Cloud

Refresh with Intel® Xeon® 5600 and

Node Manager Deploy interoperable solutions and support

standards

Intel Trusted Execution and Virtualization

Technologies

Intel® Xeon® for servers & storage

Deploy 10GbE

Healthcare Big Data Moves to the Cloud

10TBs of Diagnostic Images for one type of test No encryption No data protection No Federation Forklift for capacity

Compression 50% savings1

Erasure code 29% savings1 Deduplication capabilities savings up to 70%1

The cloud provides cost efficient capacity scaling

data upload

data store

encryption algorithm

dedupe algorithm

compression algorithm

Intel® Xeon® Enables: Dynamically Available Capacity-scale to the cloud Added Data Protection & Sophisticated Capabilities Federated Data Access Across Medical Networks

erasure coding algorithm

Efficiency & Scalability 79% Disk Savings1

Medical Imaging

1 Intel calculations based on industry numbers for compression & erasure code

17

Ubiquitous Data Protection with Intel® AES New Instructions

Secure transactions used pervasively in e-commerce, banking, etc. 1 Full disk encryption software protects data automatically during saving to disk 2 Most enterprise applications offer options to use encryption to secure information 3

Internet Intranet

Secure transactions on Internet and Intranet

Full-disk encryption protects data on hard disks

Application-level encryption for automation and granularity

Name: J.Doe

SS# �ζ…χ∀∃

2

1

3

Allows broader use of encryption for better protection of sensitive health information

18

Carestream Cloud-Based Diagnostic Imaging

19

(Some of) CIO’s issues with their imaging IT

• Ensure Availability of Patient Data over a Lifetime

• Manage Unpredictable TCO with Unexpected CAPEX

• Enable Physicians Collaboration across Sites & Systems

20

How Do You Care For Your Data ?

© 2011, Carestream Health

• Is Your Infrastructure capable of hosting your data securely on-premises? (power redundancy, air/con, security, fire detection & extinction, etc)

• Is Your IT Team adequately skilled and staffed to adapt to ever changing retention and security requirements ?

• Is Your Architecture protected against technology obsolescence across the lifetime of data ?(software, servers, storage, etc)

21

Does Your PACS [Archive] Cost You Too Much ?

• Continuous expansion of storage capacities to absorb the exploding production of imaging data

• Upfront capital investment in capacities which stay unused and idle during most of their lifetime • Unpredictable Total Cost of Ownership over the lifetime of data (Investment, Maintenance, Expansion, Migration, Replacement)

22

Are Your Physicians Able to Share & Collaborate ?

• Ever frequent demand to get faster results on-site or on-the-go

• Integrate radiology workflow between disparate legacy imaging systems across multiple distant locations.

• Simple single-point of access to patient’s imaging record across the continuum of care for the community

23

© 2011, Carestream Health

Vue Cloud Now Introducing…

LIBERATING TECHNOLOGY.

24

p.25

© 2011, Carestream Health

A New Delivery Model for Software Cloud-based Services

Ownership Usage

Do-it-Yourself Service Level Agreement

Cloud-based Access

Point-to-Point Access

25

A Portfolio of Innovative Cloud Services

Vue Cloud by Carestream

Collaboration-as-a-Service

Teleradiology-as-a-Service

Cloud Portal

PACS -as-a-Service

Archive-as-a-Service

Regional Hospital

Physician’s Office

Reading Center

Rural Clinic

University Hospital

26

No change Vendor Neutral Infrastructure

Hospital

Physician’s Office

Carestream’s Responsibility Customer’s Responsibility

Service Boundary

Virtual Private Network (VPN)

Cloud Portal

Carestream Service Access

Point (local cache adapted

to needs)

Remote monitoring 24 X 7

Vue Cloud Platform Operated by Carestream In a Tier -3 Data Center

• Active Archive • Disaster Recovery • Unlimited retention

Vue Cloud By Carestream

DICOM [PACS, modalities]

Local Access (LAN)

HL7 [RIS, HIS]

IHE XDS-i [ECG, jpg, mpg

pdf]

Remote Secure Access

27

No change Vendor Neutral Infrastructure

Hospital

Carestream’s Responsibility Customer’s Responsibility

Service Boundary

Virtual Private Network (VPN)

Cloud Portal

Service Access Point

(local cache adapted to needs)

Remote monitoring 24 X 7

Vue Cloud Platform Operated by Carestream In a Tier -3 Data Center

DICOM [PACS, modalities]

Local Access (LAN)

HL7 [RIS, HIS]

IHE XDS-i [ECG, jpg, mpg

pdf]

Remote Secure Access

Behind the Cloud

Cloud Services Platform

Vue Cloud By Carestream

Application Servers

User Mgt Statistic Reporting

Audit & Security

Proactive Monitoring

Database Servers

Primary copy

Disaster Recovery copy

DMZ

28

Tufts Medical Center, Boston

Long Beach Memorial, CA

CHR Orleans, France

Nij Smellighen, Netherlands

Schwarzer Baer, Hannover

CMS Tokyo Group

Vue Cloud A Proven Global Platform

29

p.30

© 2011, Carestream Health

Community Hospital Going Cloud Archive

Customer Profile

• Busy 200 bed community Hospital

• Doing over 200,000 Diagnostic Radiology Studies per year

• Needed increased IT infrastructure for medical imaging

• Needed additional IT staff

• Wanted archive solution that was vendor neutral

• Wanted simple yet effective Disaster Recovery

Achievements

• Decided to subscribe to Vue Cloud Archive Service in 2007

• Currently have over 25TB stored in Carestream Cloud

• Currently have approx 1,000,000 studies stored in Carestream Cloud

• All images stored are in a standard DICOM Vendor Neutral Format

Long Beach Memorial Medical Center, Long Beach CA

Back

30

p.31

© 2011, Carestream Health

Teleradiology Services

Customer Profile

• 1st Private Teleradiology Service Provider in France

• Delivering on call reading services to independant hospitals, for emergency cases, outside business hours

• Growing rapidly, and therefore need scalable and vendor-neutral infrastructure to connect its clients and radiologists

Achievements

• Partnering with Actibase to deliver a teleradiology infrastructure as a service

• Grown from 1 hospital to currently 12 connected to the service in 18 months, all being widely dispersed across France

• Reading Center located in Lyon gets on-call studies automatically pushed from any customer locations

• Planning to connect 3 additional hospitals in coming quarter

Imadis, France http://www.imadis.fr/

31

p.32

© 2011, Carestream Health

Image Exchange Across A Community

Customer Profile

• Multiple independent hospitals & private imaging centers members of RHIO covering the Rochester County

• Looking at exchanging patient history available from other institutions to reduce retakes and improve quality of care

Achievements

• Partnering with Axolotl and eHealth Global Technologies to deliver an image exchange infrastructure as a service

• 8 Rochester healthcare institutions connected to the service

– 35,000 studies collected every month

– Hosted in CARESTREAM data center in Rochester (Frontier)

– Meta-data consolidated and images kept on-line for 2 months

– Radiology studies available on-demand from any institution

Rochester RHIO, New York, US

Back http://www.grrhio.org/

32

p.33

© 2011, Carestream Health

National Diagnostic Services

Customer Profile

• 39 hospitals across 16 health boards with legacy IT environment

• 3 millions studies per year, approx 120 TB

• 8,000 users across 2,000 wards

• Limited IT skilled within NSS

Achievements

• Private cloud with PACS/RIS/Archive (4 yrs)

• 2 fully redundant data centers with hot fail-over integrated to National EMPI

• Priors automatically pulled out of the national patient imaging record

• Radiology from multiple hospitals acting as a single department

Achievements

• Partnering with Actibase to deliver a teleradiology infrastructure as a service

• Grown from 1 hospital to currently 12 connected to the service in 18 months, all being widely dispersed across France

• Reading Center located in Lyon gets on-call studies automatically pushed from any customer locations

• Planning to connect 3 additional hospitals in coming quarter

National Radiology System, Scotland

33

© 2011, Carestream Health

Benefits of Vue Cloud Services

PERFORMANCE Your contract defines all the services we will provide, including availability, performance, data restitution and regular reports on usage and activity

SCALABILITY Add and remove data, users, sites, and tools freely as your workload ebbs and flows – without giving up any functionality

PREDICTABILITY Predictable total cost of ownership – eliminate unexpected costs from outdated internal support systems

RELIABILITY 24x7x365 proactive monitoring and remote support to provide guaranteed uptime on standardized tested platform

SECURITY Increased quality and security – leave IT to an expert team and redirect your time, money and resources toward core competencies

CONTROL Carestream follows the precise directions of your designated internal expert – and you always own your data

34

Vue Cloud Community Connect + Collaborate

Imaging Center

Town Hospital

University Hospital

Radiologist

Referring Physician

Expert

Rural Clinic

Shared Data

Shared Workflow

Teleradiology

Share Expertise

Consultation

35

Cloud Delivers Integrated Diagnostics at the Point of Care

36

p.37

© 2011, Carestream Health

Patient Portal Search Screen

37

p.38

© 2011, Carestream Health 38

p.39

© 2011, Carestream Health 39

Coming soon: MyVue, a Portal for Patients

Patient completes exam

Patient receives email from

hospital staff

Checks out with Imaging Admin

Patient shares results with specialists

Logs on with info from email

Patient owns his imaging record, shares on-demand

when needed

Continues with own treatment/care

• Consent Management • Security / Sharing protocols • Unlimited expansion • EHR Patient Portal Services

Hospital Ownership:

40

p.41

© 2011, Carestream Health

41

p.42

© 2011, Carestream Health 42

p.43

© 2011, Carestream Health 43

p.44

© 2011, Carestream Health

44

p.45

© 2011, Carestream Health

45

p.46

© 2011, Carestream Health

46

p.47

© 2011, Carestream Health

47

p.48

© 2011, Carestream Health

48

p.49

© 2011, Carestream Health

More on www.carestream.com/cloud 49

Summary

• Overcome scarcity by leveraging expertise and capacity in the cloud

• Focus on innovation, rely on the ecosystem for services outside your core competency

• Adopt standards and best practices leveraging worldwide models

50

Additional Sources of Information:

51

• Intel® Cloud Builders • Open Data Center Alliance (ODCA) • Cloud Security Alliance (CSA) • European Network and Information Security Agency (ENISA) • Healthcare Blogs – Intel® Healthcare IT Professionals • Whitepapers

– CARESTREAM* Increasing the Scalability of Medical Imaging Solutions – Secure Healthcare Cloud (TXT whitepaper) – VMware* and Intel® 10GbE Best Practices – Securing the Enterprise with Intel® AES-NI – Enhanced Cloud Security with HyTrust* & VMware*

– Taking Control of the Cloud for your Enterprise – Unified Networking with Cisco* Virtualized Multi-Tenant Data Center*

• Videos – Cloud Security: Built from the Ground Up – Trusted Execution Technology – Virtualization Demo/Animation – CARESTREAM* SuperPACS™ architecture at Clalit Health Services

• Intel® Virtualization Technology (Intel® VT) – Provides flexibility and maximum system utilization by consolidating multiple environments into a single server, workstation, or PC

• Intel® vPro™ Technology – Designed specifically for the needs of business, notebooks and desktops with Intel® vPro™ technology have security and manageability built right into the chip

• Intel® Trusted Execution Technology (Intel® TXT) – Protect confidentiality and integrity of business data against software-based attacks.

• Intel® Anti-Theft Technology (Intel® AT) – Providing the option to activate hardware-based client-side intelligence to secure the PC and its data in the event the notebook is lost or stolen

• Intel® AES New Instructions (Intel® AES-NI) – The Advanced Encryption Standard (AES) algorithm is now widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructures

• Intel® Identity Protection Technology (Intel® IPT) – Two-factor authentication directly into the processors of select 2nd generation Intel® Core™ processor-based PCs

• Intel® Cloud Access 360 – Protection Enterprise Access to Cloud and Protecting Enterprise Applications in the Cloud

• Intel® Expressway Service Gateway – High performance security, xml acceleration and routing. Cross-domain service mediation, threat prevention, policy enforcement. Interoperable ESB gateway

• McAfee Cloud Security Platform* – Consistent security policies, reporting, and threat intelligence across all cloud traffic—now available from a single platform

• Intel® Scale-out Storage – Tackle your data center’s challenges with enterprise storage solutions powered by the world’s most advanced multi-core architecture

• Intel® Solid State Drives – High performance, Self-Encrypting Solid State Drives for protecting sensitive data at rest

• Intel Unified Networking – Unified Networking enables cost-effective connectivity to the LAN and the SAN on the same Ethernet fabric

Intel Technologies

52